September 20, 2021

Volume XI, Number 263

September 17, 2021

SEC Settles Charges Against Real Estate Services Company Over Control Failures Related to Cybersecurity Disclosure

On June 15, 2021, the SEC announced it settled charges against real estate services company First American Financial Corporation (“First American”) for alleged violation of Rule 13a-15(a) of the Exchange Act. The SEC charged First American with failure to maintain disclosure controls and procedures designed to ensure that all available, relevant information concerning a software vulnerability that led to a cybersecurity incident was filed with the Commission.

On May 24, 2019, a cybersecurity journalist notified First American of a vulnerability in its document transmission software that had exposed over 800 million title and escrow document images containing sensitive personal data, such as Social Security numbers and financial information. The vulnerability allowed unauthorized access to confidential documents when the digits in URLs linking to personal files were altered. In addition, the lack of password protection on certain documents allowed publicly available search engines to cache documents shared via the software.

In response to the journalist’s notice, First American issued a statement and filed a Form 8-K with the SEC. According to the SEC, however, the senior executives responsible for these disclosures lacked information to fully evaluate the company’s cybersecurity responsiveness and the risk from the vulnerability at the time they approved the company’s disclosures. Specifically, the SEC found that the information security staff at First American had discovered the vulnerability months before receiving the journalist’s notice but that (i) the company failed to remediate the defect according to its own vulnerability remediation management policies and (ii) relevant personnel did not inform senior executives responsible for disclosures about these facts until after the company furnished a Form 8-K to the Commission.

The Chief of the SEC Enforcement Division’s Cyber Unit, Kristina Littman, noted, “As a result of First American’s deficient disclosure controls, senior management was completely unaware of this vulnerability and the company’s failure to remediate it. Issuers must ensure that information important to investors is reported up the corporate ladder to those responsible for disclosures.”

First American agreed to cease and desist from committing or causing future violations of Exchange Act Rule 13a-15 and to pay a civil money penalty of $487,616.

Copyright © 2021, Hunton Andrews Kurth LLP. All Rights Reserved. National Law Review, Volume XI, Number 181

About this Author

In today’s digital economy, companies face unprecedented challenges in managing privacy and cybersecurity risks associated with the collection, use and disclosure of personal information about their customers and employees. The complex framework of global legal requirements impacting the collection, use and disclosure of personal information makes it imperative that modern businesses have a sophisticated understanding of the issues if they want to effectively compete in today’s economy.

Hunton Andrews Kurth LLP’s privacy and cybersecurity practice helps companies manage data and...
